External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00
Code

virt-aa-helper: fix parsing security labels by introducing VIR_DOMAIN_DEF_PARSE_SKIP_SECLABEL

Browse Source 
When virt-aa-helper parses xml content it can fail on security labels.

It fails by requiring to parse active domain content on seclabels that
are not yet filled in.

Testcase with virt-aa-helper on a minimal xml:
 $ cat << EOF > /tmp/test.xml
<domain type='kvm'>
    <name>test-seclabel</name>
    <uuid>12345678-9abc-def1-2345-6789abcdef00</uuid>
    <memory unit='KiB'>1</memory>
    <os><type arch='x86_64'>hvm</type></os>
    <seclabel type='dynamic' model='apparmor' relabel='yes'/>
    <seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
EOF
 $ /usr/lib/libvirt/virt-aa-helper -d -r -p 0 \
   -u libvirt-12345678-9abc-def1-2345-6789abcdef00 < /tmp/test.xml

Current Result:
 virt-aa-helper: error: could not parse XML
 virt-aa-helper: error: could not get VM definition
Expected Result is a valid apparmor profile

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Guido Günther <agx@sigxcpu.org>
This commit is contained in:
Christian Ehrhardt 2016-11-21 15:40:23 +01:00 committed by Guido Günther
parent bb738f9fcd
commit dffdac06c0
3 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/conf/domain_conf.c
View File

@ -16372,8 +16372,10 @@ virDomainDefParseXML(xmlDocPtr xml,
/* analysis of security label, done early even though we format it
* late, so devices can refer to this for defaults */
if (virSecurityLabelDefsParseXML(def, ctxt, caps, flags) == -1)
goto error;
if (!(flags & VIR_DOMAIN_DEF_PARSE_SKIP_SECLABEL)) {
if (virSecurityLabelDefsParseXML(def, ctxt, caps, flags) == -1)
goto error;
}
/* Extract domain memory */
if (virDomainParseMemory("./memory[1]", NULL, ctxt,

2
src/conf/domain_conf.h
View File

@ -2684,6 +2684,8 @@ typedef enum {
VIR_DOMAIN_DEF_PARSE_ABI_UPDATE = 1 << 9,
/* skip definition validation checks meant to be executed on define time only */
VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE = 1 << 10,
/* skip parsing of security labels */
VIR_DOMAIN_DEF_PARSE_SKIP_SECLABEL = 1 << 11,
} virDomainDefParseFlags;
typedef enum {

1
src/security/virt-aa-helper.c
View File

@ -705,6 +705,7 @@ get_definition(vahControl * ctl, const char *xmlStr)
ctl->def = virDomainDefParseString(xmlStr,
ctl->caps, ctl->xmlopt, NULL,
VIR_DOMAIN_DEF_PARSE_SKIP_SECLABEL |
VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE);
if (ctl->def == NULL) {